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A new variant of the SubSeven Trojan Horse has been discovered in the wild. This malicious computer 
code could constitute a new threat of distributed denial of service (DDoS) attacks. DDoS attacks were 
responsible for serious disruptions of several major e-commerce web sites in February 2000. The NIPC 
and industry partners believe that this new variant may be used to conduct further DDoS attacks which 
may be more difficult to detect. 

Internet Security Systems Inc. (ISS) indicates that the new variant of SubSeven, named DEFCON8 2.1, 
has been distributed on Usenet news groups with an executable filename of "SexxxyMovie.mpeg.exe." 

ISS believes that individuals are using this Trojan to test new distributed denial of service methods. More 
information can be obtained from the ISS web site at http://xforce.iss.net/alerts/advise65.php 

The NIPC has independently determined that this variant of SubSeven works on Windows 95, Windows 
98 and Windows ME. Previously released variants of SubSeven have allowed remote attackers to obtain 
all cached information including, for example, passwords, play audio files, access a webcam, and capture 
screenshots. Upon execution of the "SexxxyMovie.mpeg.exe," a copy of the executable is renamed using 
a random name/number scheme and placed in the c:\windows directory. After the Trojan copies itself, an 
entry is placed within the registry and system.ini to start the Trojan process with every boot of Windows. 
Subseguently the Trojan deletes itself, thus leaving only the newly created Trojan filename within 
Windows. This variant of SubSeven joins an IRC (Internet Relay Chat) channel on irc.icg.com to notify 
intruders via IRC or ICQ when new computers are infected. This variant of SubSeven listens on port 
16959 or the default port 27374. 

The NIPC and others are currently in the process of analyzing the Trojan's code to identify its purpose. 

ISS provided a copy of the binary code to the NIPC for further distribution to CERT/CC and the greater 
anti-virus community. The anti-virus software industry has been notified of the new variant and will test 
the new variant against their existing SubSeven Dat files which they believe will pick up this malicious 
code. Full descriptions and removal instructions of a number of variants can be found at various anti-virus 
software firms web sites, including the following: 

http://www.symantec.com 
http://www.nai.com (McAfee) 
http://www.antivirus.com (Trend Micro) 
http://www.fsecure.com 
http://www.sophos.com 

As always, users are advised to keep their anti-virus software current by checking their vendors' web sites 
frequently for new updates, and to stay apprised of alerts from NIPC, CERT/CC, and other cognizant 
organizations. 

Please report any illegal or malicious activities to your local FBI office or the NIPC, and to your 
military or civilian computer incident response group, as appropriate. Incidents may be reported 
online at http://www.nipc.gov/incident/cirr.htm . 


